That's not necessarily true. First, you can't be sure someone's actually working on bugs in any FOSS project unless there's some kind of assignment system in use. Remember, critical faults have sometimes lain in common FOSS software for years. Second, you can never be sure the black hats came upon the fault first, already exploited it, and are just keeping their mouths shut to maximize the impact.
Having said that, this appears to be something of an intractable problem in that a necessary condition for fixing a fault is to make the fault known, which has the potential of making the problem (at least temporarily) worse. It's sort of like surgery: yes, it's often necessary, but opening someone up is never without risks. Heck, I don't even think formal verification can save us here since you can still have outside-context faults (I call them gestfaults) that combine quirks of multiple programs, each outside the others' scope.